OpenVPN
ssl_verify.h
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
29 #ifndef SSL_VERIFY_H_
30 #define SSL_VERIFY_H_
31 
32 #include "syshead.h"
33 #include "misc.h"
34 #include "ssl_common.h"
35 
36 /* Include OpenSSL-specific code */
37 #ifdef ENABLE_CRYPTO_OPENSSL
38 #include "ssl_verify_openssl.h"
39 #endif
40 #ifdef ENABLE_CRYPTO_MBEDTLS
41 #include "ssl_verify_mbedtls.h"
42 #endif
43 
44 #include "ssl_verify_backend.h"
45 
46 /*
47  * Keep track of certificate hashes at various depths
48  */
49 
51 #define MAX_CERT_DEPTH 16
52 
54 struct cert_hash {
55  unsigned char sha256_hash[256/8];
56 };
57 
59 struct cert_hash_set {
61 };
62 
63 #define VERIFY_X509_NONE 0
64 #define VERIFY_X509_SUBJECT_DN 1
65 #define VERIFY_X509_SUBJECT_RDN 2
66 #define VERIFY_X509_SUBJECT_RDN_PREFIX 3
67 
69 {
73 };
74 
91 enum tls_auth_status
93 
109 #define TLS_AUTHENTICATED(multi, ks) ((ks)->state >= (S_GOT_KEY - (multi)->opt.server))
110 
118 
124 void cert_hash_free(struct cert_hash_set *chs);
125 
131 void tls_lock_cert_hash_set(struct tls_multi *multi);
132 
138 void tls_lock_common_name(struct tls_multi *multi);
139 
146 const char *tls_common_name(const struct tls_multi *multi, const bool null);
147 
154 const char *tls_username(const struct tls_multi *multi, const bool null);
155 
162 bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2);
163 
177 void verify_user_pass(struct user_pass *up, struct tls_multi *multi,
178  struct tls_session *session);
179 
180 
181 
190 void
191 verify_crresponse_script(struct tls_multi *multi, const char *cr_response);
192 
200 void
201 verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response);
202 
212 void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session);
213 
215 {
216  const struct x509_track *next;
217  const char *name;
218 #define XT_FULL_CHAIN (1<<0)
219  unsigned int flags;
220  int nid;
221 };
222 
223 /*
224  * Certificate checking for verify_nsCertType
225  */
227 #define NS_CERT_CHECK_NONE (0)
228 
229 #define NS_CERT_CHECK_SERVER (1<<0)
230 
231 #define NS_CERT_CHECK_CLIENT (1<<1)
232 
234 #define OPENVPN_KU_REQUIRED (0xFFFF)
235 
236 /*
237  * TODO: document
238  */
239 #ifdef ENABLE_MANAGEMENT
240 bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason);
241 
242 #endif
243 
251 void auth_set_client_reason(struct tls_multi *multi, const char *client_reason);
252 
253 static inline const char *
255 {
256  return multi->client_reason;
257 }
258 
260 void tls_x509_clear_env(struct env_set *es);
261 
262 #endif /* SSL_VERIFY_H_ */
MAX_CERT_DEPTH
#define MAX_CERT_DEPTH
Maximum certificate depth we will allow.
Definition: ssl_verify.h:51
cert_hash_free
void cert_hash_free(struct cert_hash_set *chs)
Frees the given set of certificate hashes.
Definition: ssl_verify.c:220
ssl_verify_backend.h
auth_deferred_status
Definition: ssl_common.h:157
es
struct env_set * es
Definition: test_pkcs11.c:133
cert_hash_set::ch
struct cert_hash * ch[MAX_CERT_DEPTH]
Array of certificate hashes.
Definition: ssl_verify.h:60
cert_hash::sha256_hash
unsigned char sha256_hash[256/8]
Definition: ssl_verify.h:55
TLS_AUTHENTICATION_SUCCEEDED
@ TLS_AUTHENTICATION_SUCCEEDED
Definition: ssl_verify.h:70
ssl_verify_openssl.h
ssl_verify_mbedtls.h
tls_username
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:177
tls_client_reason
static const char * tls_client_reason(struct tls_multi *multi)
Definition: ssl_verify.h:254
tls_authentication_status
enum tls_auth_status tls_authentication_status(struct tls_multi *multi)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
Definition: ssl_verify.c:1154
tls_authenticate_key
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
Definition: ssl_verify.c:1251
tls_multi
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:590
tls_auth_status
tls_auth_status
Definition: ssl_verify.h:68
tls_lock_cert_hash_set
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:292
verify_crresponse_script
void verify_crresponse_script(struct tls_multi *multi, const char *cr_response)
Runs the –client-crresponse script if one is defined.
Definition: ssl_verify.c:1420
x509_track::nid
int nid
Definition: ssl_verify.h:220
misc.h
TLS_AUTHENTICATION_FAILED
@ TLS_AUTHENTICATION_FAILED
Definition: ssl_verify.h:71
tls_common_name
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:113
verify_crresponse_plugin
void verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response)
Call the plugin OPENVPN_PLUGIN_CLIENT_CRRESPONSE.
Definition: ssl_verify.c:1407
x509_track::name
const char * name
Definition: ssl_verify.h:217
x509_track::next
const struct x509_track * next
Definition: ssl_verify.h:216
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:471
syshead.h
cert_hash_set
Structure containing the hashes for a full certificate chain.
Definition: ssl_verify.h:59
env_set
Definition: env_set.h:42
verify_final_auth_checks
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
Perform final authentication checks, including locking of the cn, the allowed certificate hashes,...
Definition: ssl_verify.c:1774
tls_multi::client_reason
char * client_reason
Definition: ssl_common.h:637
x509_track::flags
unsigned int flags
Definition: ssl_verify.h:219
cert_hash
Structure containing the hash for a single certificate.
Definition: ssl_verify.h:54
tls_lock_common_name
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:138
verify_user_pass
void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Verify the given username and password, using either an external script, a plugin,...
Definition: ssl_verify.c:1592
auth_set_client_reason
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:817
ssl_common.h
session
Definition: keyingmaterialexporter.c:56
tls_x509_clear_env
void tls_x509_clear_env(struct env_set *es)
Remove any X509_ env variables from env_set es.
Definition: ssl_verify.c:1836
key_state_rm_auth_control_files
void key_state_rm_auth_control_files(struct auth_deferred_status *ads)
Remove the given key state's auth deferred status auth control file, if it exists.
Definition: ssl_verify.c:967
user_pass
Definition: misc.h:56
x509_track
Definition: ssl_verify.h:214
TLS_AUTHENTICATION_DEFERRED
@ TLS_AUTHENTICATION_DEFERRED
Definition: ssl_verify.h:72
cert_hash_compare
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition: ssl_verify.c:234